1 Answer
1

One of the consequences of "manifest_version": 2 is that Content Security Policy is enabled by default. And Chrome developers chose to be strict about it and always disallow inline JavaScript code - only code placed in an external JavaScript file is allowed to execute (to prevent Cross-Site Scripting vulnerabilities in extensions). So instead of defining getPageandSelectedTextIndex() function in popup.html you should put it into a popup.js file and include it in popup.html:

<script type="text/javascript" src="popup.js"></script>

And <button onclick="getPageandSelectedTextIndex()"> has to be changed as well, onclick attribute is also an inline script. You should assign an ID attribute instead: <button id="button">. Then in popup.js you can attach an event handler to that button:

This is so stupid. Who came up with this idea?! Now I have to change all my inline onclicks and put them in an external js file. And I have a bunch of files including them.
–
Derek 朕會功夫Sep 15 '12 at 6:22

@Derek: It's a much better approach security-wise, lots of security issues happen because people aren't careful enough with innerHTML and such. Regardless of that, it seems that Chrome somewhat relaxed the content policy requirements in current Canary builds, unsafe-inline might now be supported as well.
–
Wladimir PalantSep 15 '12 at 12:24

@wladimir - hope they will relax the policy in he future!
–
Derek 朕會功夫Sep 21 '12 at 13:11